Some DSL routers prevent NAT loopback. Security is sometimes cited as the reason. Is NAT loopback really a security issue? And if so, how is this exploited?

NAT loopback... where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN). Without NAT loopback you must use the internal IP address of the device when on the LAN.

EDIT: The mentions of security are admittedly from unofficial sources, which is why I would like to clarify this...

As a network engineer I work with Cisco and Brocade routers daily and these will not allow loopback due to the inherent security issues. BT have adopted an approach that security is very important and as with enterprise class routers, loopback is not permitted.

Many DSL routers/modems prevent loopback connections as a security feature.

To be honest, up until now I have always assumed that failure to support NAT loopback was simply a failure in the hardware/firmware, not a 'security feature'?! Its omission is a far greater problem IMHO. (If you hadn't guessed, my router does not support NAT loopback.)

Without a specific attack scenario, a well defined threat, a well defined event that is supposed to not happen ... this "security" claim has no merit whatsoever.
– curiousguy Jun 22 '12 at 1:30

"admittedly from unofficial sources" unofficial is not the problem here. The problem is: "will not send out and receive data on the same interface (Loopback), as this is a security risk" is crazy talk. Which device does not "send out and receive data on the same interface"???
– curiousguy Jun 22 '12 at 1:53


What you describe (a router sending information to itself, to be received on the same interface) sounds a bit like a LAND attack to me. (en.wikipedia.org/wiki/LAND) However, I believe the situation might be a somewhat different with NAT involved. I'd like to see someone answer this with more specifics to that regard.
– Iszi Jun 22 '12 at 2:28

@IsziRoryorIsznti "loopback" has nothing to do with "LAND", or source address spoofing, or any other IP attack. A loopback session on a NAT device is started by a TCP or UDP packet with a destination address which is the external (usually public, Internet) IP address of the NAT device and a source IP address which is an internal (usually private, non-Internet) address.
– curiousguy Jun 22 '12 at 6:32

The "security" bit probably relates to bogon traffic; theoretically if the in and out interface is the same, then your router should never see the traffic in the first place. This isn't strictly speaking true, but some people pretend it is.
– tylerl Jun 23 '12 at 21:05

Now, you ask, why doesn't the router SNAT the connection from Computer1 to the router's internal IP when it DNATs it to Computer2? Because the SNAT rule would make a mess of all the rest of the traffic which doesn't follow the pattern above.

SNAT really should only be used in one direction unless you're willing to put a lot of time and care into crafting and maintaining a NAT ruleset that won't bite you.

I would point out that this rule would affect not only NAT-loopback traffic, but also bridge traffic (e.g. WiFi network to wired network), which would make a WiFi router frustratingly broken. The rule would have to be tailored to match ONLY the loopback traffic, which is slightly more tricky and probably involves marking packets. Not impossible, but not the sort of engineering and debugging that goes into most routers; and certainly fraught with peril.
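The three situations the answer describes (DNAT alone, DNAT plus an SNAT that matches only the hairpinned flows, and a blanket LAN-to-LAN SNAT) are easier to see in a packet-level model than in prose. The following is an added example, not code from the thread or from any router vendor: a toy model of a router's nat-table PREROUTING/POSTROUTING hooks with a port forward for WAN_IP:8080 to Computer2. The addresses, ports, mode names and the iptables rules quoted in the comments are all my assumptions for illustration; the model also assumes that a reply sent between two LAN hosts is switched directly and only comes back through the NAT engine when it is addressed to the router, which is the usual explanation for why plain DNAT does not give loopback.

```python
"""Added example (not from the original thread): a toy model of a home router's
nat-table hooks, showing why a plain DNAT port forward does not give NAT
loopback, what the extra SNAT has to do, and why a blanket LAN-to-LAN SNAT
rule is the wrong fix.  All addresses are constructed (RFC 5737 / RFC 1918)."""
from dataclasses import dataclass, replace

ROUTER_LAN_IP = "10.0.0.1"
ROUTER_WAN_IP = "203.0.113.5"
LAN_PREFIX = "10.0.0."
CLIENT = "10.0.0.10"       # "Computer1" in the answer above
SERVER = "10.0.0.20"       # "Computer2": port forward WAN_IP:8080 -> SERVER:8080
EXTERNAL = "198.51.100.7"  # a host on the Internet
SERVICE_PORT = 8080
CLIENT_PORT = 40000


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip):
    return ip.startswith(LAN_PREFIX)


class NatRouter:
    """'mode' selects how LAN-originated packets for WAN_IP:8080 are treated:
    disabled  - DNAT only for packets arriving on the WAN side (no loopback)
    dnat_only - DNAT applied to LAN packets too, but no SNAT
    targeted  - SNAT to the router's LAN address only for DNATted LAN->LAN flows
    blanket   - SNAT every LAN->LAN flow (the rule the answer warns against)
    The iptables rules in the comments are assumed equivalents, not the page's."""

    def __init__(self, mode):
        self.mode = mode
        self.conntrack = {}  # reply 4-tuple -> original (src, sport, dst, dport)

    def prerouting(self, pkt, from_wan):
        # -t nat -A PREROUTING -d 203.0.113.5 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.20
        if pkt.dst == ROUTER_WAN_IP and pkt.dport == SERVICE_PORT:
            if from_wan or self.mode != "disabled":
                return replace(pkt, dst=SERVER), True
        return pkt, False

    def postrouting(self, pkt, dnatted):
        lan_to_lan = in_lan(pkt.src) and in_lan(pkt.dst)
        # targeted: -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -m conntrack --ctstate DNAT -j SNAT --to-source 10.0.0.1
        if self.mode == "targeted" and dnatted and lan_to_lan:
            return replace(pkt, src=ROUTER_LAN_IP)
        # blanket:  -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j SNAT --to-source 10.0.0.1
        if self.mode == "blanket" and lan_to_lan:
            return replace(pkt, src=ROUTER_LAN_IP)
        return pkt

    def forward(self, pkt, from_wan):
        """Packet as the next hop sees it; None if the router itself is the
        destination (nothing listens there, so the connection is refused)."""
        out, dnatted = self.prerouting(pkt, from_wan)
        if out.dst in (ROUTER_WAN_IP, ROUTER_LAN_IP):
            return None
        out = self.postrouting(out, dnatted)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return out

    def reverse(self, reply):
        """Undo both translations for a reply that comes back through the router."""
        orig = self.conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
        if orig is None:
            return None
        src, sport, dst, dport = orig
        return Packet(dst, dport, src, sport)


def simulate(mode, client, dst, dport=SERVICE_PORT):
    """Open one TCP connection from client to dst:dport through a router in
    'mode'.  Returns whether the client's TCP stack accepts the SYN/ACK and
    which peer address the server logged for the connection."""
    router = NatRouter(mode)
    syn = Packet(client, CLIENT_PORT, dst, dport)
    wire = router.forward(syn, from_wan=not in_lan(client))
    if wire is None or wire.dst != SERVER:
        return {"accepted": False, "peer_seen_by_server": None}
    reply = Packet(SERVER, wire.dport, wire.src, wire.sport)
    # Model assumption: a reply to another LAN host is switched directly and
    # never revisits the NAT engine; only replies addressed to the router's
    # LAN address, or to something off-subnet, get untranslated.
    if reply.dst == ROUTER_LAN_IP or not in_lan(reply.dst):
        reply = router.reverse(reply)
    accepted = (reply is not None and reply.dst == client and reply.dport == CLIENT_PORT
                and reply.src == dst and reply.sport == dport)
    return {"accepted": accepted, "peer_seen_by_server": wire.src}


if __name__ == "__main__":
    for mode in ("disabled", "dnat_only", "targeted", "blanket"):
        print(mode, "LAN->WAN_IP:", simulate(mode, CLIENT, ROUTER_WAN_IP))
        print(mode, "LAN->SERVER:", simulate(mode, CLIENT, SERVER))
        print(mode, "WAN->WAN_IP:", simulate(mode, EXTERNAL, ROUTER_WAN_IP))
```

Running it shows the point of the answer: with DNAT only, Computer2 replies straight to Computer1 with its own address as source, so Computer1's TCP stack sees a SYN/ACK from 10.0.0.20 when it expected one from 203.0.113.5 and rejects it; the targeted SNAT fixes that by forcing the reply back through the router, at the cost that Computer2 now logs every hairpinned client as 10.0.0.1; and the blanket rule makes ordinary LAN-to-LAN connections look like they come from the router too, which is the "mess" the answer refers to. External clients are forwarded correctly in every mode.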

"bridged traffic still transits the kernel": but bridged traffic should not be iptables -t nat POSTROUTING-ed. "flow diagram": interesting, but I am not sure I understand this diagram: where is IP, where is Ethernet?
– curiousguy Jun 23 '12 at 6:58

@curiousguy Bridging is not significantly different from routing; you just forward ALL traffic by default. In the diagram, blue boxes are ebtables processing hooks while green ones are iptables hooks. Note that iptables is consulted even for bridge traffic. The IP fields may or may not be present on all ethernet frames, but if they are present, they can be examined.
– tylerl Jun 23 '12 at 7:15

"Note that iptables is consulted even for bridge traffic." I see. This is surprising. Anyway, you absolutely do not want to mess with -s 10.0.0.0/24 -d 10.0.0.0/24 traffic. The NAT-device is only concerned with traffic to its external IP address.
– curiousguy Jun 23 '12 at 18:54

The only loopback issue that I can remember from my early days was hooking both ends of a cat5e's RJ45 to the same switch and messing up the LAN's connectivity. Back then, we called it a loopback. But it's more of a technical issue than a security issue.